ungleich-k8s/archive/v3/certificates-dns.md

46 lines
1.3 KiB
Markdown
Raw Normal View History

2021-06-09 18:14:49 +00:00
## Objective
Allow a service to acquire a DNS name and a certificate for the DNS
name.
## Potential flow
* A deployment (?) with annotations domain: xyz.example.com is created
* The DNS entry xyz.example.com pointing to the Service is created
* The certifcatce for xyz.example.com is requested/stored
* All pods get access to the certificate, serve https
2021-06-09 22:02:16 +00:00
## Certificate for a service [sketch]
* Have one pod listening on port 80 / doing certbot from time to time
* The cert is stored as a configmap (?) or other volume
* The application containers read the certificate
* ... and are restarted on ... ??
* Job+Cronjob could do the job
* Deletion of certificate?
* With the volume/configmap
* Port 80 of the IP nginx with certbot webroot
* webroot shared with certbot container
2021-06-09 18:14:49 +00:00
## DNS
* Could try to reuse existing CoreDNS
2021-06-09 22:02:16 +00:00
** Maybe even via https://coredns.io/plugins/kubernetes/
2021-06-09 18:14:49 +00:00
## Letsencrypt / Certificates for services [WIP]
* Maybe using certmanager
```
kubectl apply -f
https://github.com/jetstack/cert-manager/releases/download/v1.3.1/cert-manager.yaml
```
2021-06-20 08:27:20 +00:00
## Container flow / certificate renewal
* Assume a shell script as init
* checking for the required certificate at /etc/letsencrypt/...
* starting nginx when available, caching the checksum (in a shell variable)
* Check the file once per hour, reload nginx if it happened